GDPR Compliance
Effective date: March 2026
1. Our Commitment to GDPR
Quelori is fully committed to compliance with the General Data Protection Regulation (GDPR). We act as both a data controller (for our direct relationship with you) and a data processor (for the data you collect from your clients and guests through the Service).
We have implemented comprehensive technical and organisational measures to ensure that personal data is processed lawfully, fairly, and transparently.
2. Lawful Bases for Processing
We process personal data under the following lawful bases:
- Contract performance: processing necessary to provide the Service you have signed up for.
- Legitimate interests: processing necessary for our legitimate business interests, such as improving the Service, fraud prevention, and security.
- Consent: where you have given explicit consent, such as for marketing communications.
- Legal obligation: processing required to comply with applicable laws and regulations.
3. Data Processing Details
3.1 Categories of Data Processed
- Identity data: names, email addresses, and business information.
- Booking and transaction data: appointment details, payment records, and service history.
- Client and guest data: profiles, preferences, notes, and communication history managed by you through the platform.
- Technical data: IP addresses, browser information, and usage logs.
3.2 Data Processing Agreements
As a data processor for our customers, we enter into Data Processing Agreements (DPAs) that define the scope, nature, and purpose of processing, as well as the obligations of both parties. DPAs are available upon request.
4. Your Rights Under GDPR
Under the GDPR, you have the following rights:
- Right of Access (Article 15): You have the right to request a copy of the personal data we hold about you.
- Right to Rectification (Article 16): You have the right to request correction of inaccurate or incomplete personal data.
- Right to Erasure (Article 17): You have the right to request deletion of your personal data when it is no longer necessary for the purpose for which it was collected, or when you withdraw consent.
- Right to Restriction of Processing (Article 18): You have the right to request that we limit the processing of your data in certain circumstances.
- Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transfer it to another controller.
- Right to Object (Article 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes.
- Right Not to Be Subject to Automated Decision-Making (Article 22): You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
To exercise any of these rights, contact us at privacy@quelori.com. We will respond within 30 days.
5. Data Protection Officer
Quelori has designated a Data Protection Officer (DPO) to oversee GDPR compliance and handle data protection inquiries.
You can reach our DPO at: dpo@quelori.com
6. Data Hosting and Transfers
All primary data is hosted within the European Union on infrastructure that meets GDPR requirements. We use data centres located in EU member states.
Where data transfers outside the EU are necessary (for example, to third-party service providers), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or adequacy decisions.
7. Security Measures
We implement the following technical and organisational measures:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
- Role-based access controls and the principle of least privilege.
- Regular security assessments and vulnerability testing.
- Incident response procedures and breach notification processes.
- Employee training on data protection and security practices.
- Audit logging of access to personal data.
8. Data Breach Notification
In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.
9. Supervisory Authority
You have the right to lodge a complaint with a supervisory authority if you believe that our processing of your personal data infringes the GDPR. You may contact the supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement.
10. Contact
For any questions or concerns regarding GDPR compliance, contact us at:
- Privacy inquiries: privacy@quelori.com
- Data Protection Officer: dpo@quelori.com